To print the text from this module, select "Print" from the "File" menu.
When you're finished, select "Close" from the "File" menu to return to the course.
There are two primary constitutional provisions which impact on the analysis of computer crime cases. The Fourth Amendment will present counsel with the bulk of issues, but you should also be on the watch for First Amendment issues. In this section, we will concentrate on the Fourth Amendment.
The Fourth Amendment states, "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated."
Fourth Amendment issues are difficult enough in the physical world but they present potentially even more difficult issues in the cyberworld. To help ease you into those issues, we will discuss a Supreme Court case that forms the basis for some important search and seizure issues and two military cases that illustrate some of the difficulties you will encounter in analyzing government activities. Those cases are O’Connor v. Ortega, United States v. Monroe, and United States v. Simons. Let's examine each case.
The O'Connor v. Ortega case revolved around a physician and psychiatrist, who, as an employee of a state hospital, had primary responsibility for training physicians in the psychiatric residency program. Hospital officials became concerned about possible improprieties in his management of the program, particularly with respect to his acquisition of a computer, charges against him concerning sexual harassment of female hospital employees, and inappropriate disciplinary action against a resident. While on administrative leave pending investigation of these charges, hospital officials searched his office and seized personal items from his desk and file cabinets that were used in the administrative proceedings resulting in his discharge. The respondent filed an action against the hospital officials in Federal District Court under 42 U.S.C. Section 1983, alleging that the search of his office violated the Fourth Amendment.
In O'Connor v. Ortega, the Supreme Court introduced a distinct framework for evaluating warrantless searches in government workplaces, a framework that can be extended to apply to computer searches. In O'Connor v. Ortega, the Supreme Court commented that it is well settled that individuals do not lose Fourth Amendment rights merely because they work for the government instead of a private employer. In addition, the restrictions of the Fourth Amendment have long been applied to the conduct of government officials such as school officials and building and safety inspectors. Based on this precedent, the Court found that searches and seizures by government employers or supervisors of the private property of their employees are also subject to the requirements of the Fourth Amendment. The Court determined, however that public employees' expectations of privacy in their offices, desks, and file cabinets, like similar expectations of employees in the private sector, may be reduced by virtue of actual office practices and procedures, or by legitimate regulation.
The Court cautioned that given the great variety of work environments in the public sector, the question of whether an employee has a reasonable expectation of privacy must be addressed on a case-by-case basis. For this reason, searches of a DoD employee's computer should be evaluated in each case based on several factors. In determining whether or not there was a reasonable expectation of privacy consider whether or not there were consent banners on the computer, whether the employee signed a user agreement that would have lowered privacy expectations, whether DoD or a subordinate unit has a well publicized policy lowering privacy expectations, whether the computer is shared or not, whether the computer is in a private office or not, and whether the unit has a policy of conducting periodic inspections of employee's computers.
The Court went on to find that there are two kinds of searches employers can conduct that are considered reasonable and therefore do not require a warrant. The first is a non-investigatory work-related intrusion. An example of this is when, in the absence of an employee, an employer enters the employee's desk to retrieve a work-related file. In the same way, the employer can retrieve the work-related file from the employee’s computer hard drive with the assistance of the network administrator. The second kind of search is an investigatory search for evidence of suspected work-related employee malfeasance, such as inefficiency, incompetence, mismanagement or other work-related misfeasance.
The Court then addressed the standard of reasonableness which applies to these two kinds of searches. In balancing the government’s interest in ensuring the efficient and proper operation of the workplace against the employee’s privacy interests, the court established a reasonableness under all the circumstances standard for these intrusions. Under this standard, both the inception and scope of the intrusion must be reasonable. The Court explained that a search of an employee's office by a supervisor will be "justified at its inception" when there are reasonable grounds for suspecting that the search will turn up evidence that the employee is guilty of work-related misconduct, or that the search is necessary for a noninvestigatory, work-related purpose such as to retrieve a needed file. The search will be permissible in its scope when the search procedures are reasonably related to the objectives of the search and not excessively intrusive in light of the nature of the misconduct. The Court specifically did not address the appropriate standards to apply when an employee is being investigated for criminal misconduct or breaches of other nonwork-related statutory or regulatory standards. Because some military supervisors also function in a quasi-prosecutorial or law enforcement mode (for example, commanders and first sergeants) attorneys should proceed with extreme caution under the work-related misconduct search.
Military attorneys should approach the "work-related" exception for employers with extreme caution. In many cases the military "employer" may also occupy a prosecutorial-type role which would highly complicate the application of this exception. In order to ensure evidence obtained in computer searches can be used in UCMJ actions, a more conservative approach would be recommended.
The lead military case in the area of the Fourth Amendment as applied to computer searches is United States v. Monroe, 52 M.J. 326 (CAAF 2000). This case involved the search of a serviceman's email account, located on an electronic mail host owned by the United States Air Force that allowed a user to access the Defense Data Network and the Internet through a logon and private password. Accounts were available for official business, although users were allowed to use them to send and receive limited textual and morale messages to and from friends and family. Each time a user logged on to the email host, he or she received a banner message stating, "USERS LOGGING ONTO THIS SYSTEM CONSENT TO MONITORING BY THE HOSTADM." Incoming email messages were normally sent to a directory on the host where they would be read, sorted, and sent to the recipient’s email account by a computer program. Certain messages, such as those that were defective or of excessive size, were not sent and accumulated in the directory. They were then deleted after 72 hours. On the occasions where software errors prevented this automatic deletion, the host system slowed considerably.
On one occasion, the email host administrator and the base-wide area network administrator found 59 messages stuck in the email queue directory. In an effort to identify the source of the problem, several messages were opened and the header of the messages revealed they were addressed to a user known as "monroer." They also noticed that the messages were sent from newsgroups with sexually oriented names. To determine why the files did not process and to clear them from the system, the administrators moved the messages to a directory outside the email queue. Thirty three of the messages contained photographs and were transferred to a separate computer, where in a continuing effort to determine the cause of the system problem, a few were opened and discovered to contain sexually explicit photographs of adult women.
The administrators then sought to find out whether this material was requested or whether Monroe was the victim of a prank. To do this, they opened Monroe's email account. They found one message he sent to "wsnet.com," the sender of the 59 files in question, reminding them to "send the file." They also found a message containing instructions on how to access the material and a listing of newsgroups. Convinced that Monroe had not been the victim of a prank, they decided to report the matter.
Monroe moved to suppress the initial email messages and attachments as having been obtained in violation of his Fourth Amendment rights. He asserted that the system administrators exceeded their authority in opening 59 of his emails because they essentially moved into a law enforcement role in so doing. The court disagreed. It found that the accused had no reasonable expectation of privacy in emails that were clogging the government server. Even if Monroe had some expectation of privacy, the system administrators could access the material in the email box, as long as they acted within the scope of their official duties. The court found, the system administrators "were doing what they had a responsibility to do in order to insure the base network was operating at maximum efficiency, and all their actions were taken to achieve that end." The system administrators were not acting as agents of law enforcement.
The court in Monroe upheld the finding that there was no reasonable expectation of privacy in the files on the email host, which resided on a government server, at least from the system administrator. The Air Force court had compared the email host to an unsecured file cabinet in a superior's work area. Note the different treatment of a government server and government-provided personal computer. The former generally carries with it no reasonable expectation of privacy, while the latter must be assessed on a case-by-case basis using an O'Conner v. Ortega type analysis. Any potential expectation of privacy would have additionally been negated by the consent banners. Additionally, the system administrator's reading of the contents of the stuck emails while troubleshooting a problem was proper under the "system provider exception" to the Electronic Communication Privacy Act. This Act will be addressed more thoroughly later.
In general, government employees who are notified that their employer has retained rights to access or inspect information stored on the employer's computers can have no reasonable expectation of privacy in the information stored there. For example, in United States v. Simons, 206 F.3d 392 (4th Cir. 2000), computer specialists at a division of the Central Intelligence Agency learned that an employee named Mark Simons had been using his desktop computer at work to obtain pornography available on the Internet, in violation of CIA policy. The computer specialists accessed Simons' computer remotely without a warrant, and obtained copies of over a thousand picture files that Simons had stored on his hard drive. Many of these picture files contained child pornography, which were turned over to law enforcement.
When Simons filed a motion to suppress the fruits of the remote search of his hard drive, the Fourth Circuit held that the CIA division's official Internet usage policy eliminated any reasonable expectation of privacy that Simons might otherwise have in the copied files. The policy stated that the CIA division would "periodically audit, inspect, and/or monitor each user's Internet access as deemed appropriate," and that such auditing would be implemented "to support identification, termination, and prosecution of unauthorized activity." Simons did not deny that he was aware of the policy. In light of the policy, the Fourth Circuit held, Simons did not retain a reasonable expectation of privacy "with regard to the record or fruits of his Internet use," including the files he had downloaded.
Arguably DoD has a policy that meets the Simons' criteria in DoD Directive 8500.1 and DoD Instruction 8500.2. Nevertheless, some senior government attorneys have taken the position that reliance on this factor alone should be avoided until Simons' is more widely adopted by other circuits. In the interim, use the policy as a factor and consider other factors also, such as the presence of required consent banners and other Ortega-type factors. It should be noted that the court separately analyzed the remote search of Simons' computer (from a system administrator's computer) and the physical search of Simons' computer (effected by physically entering Simons' office). In the latter, not only must one consider Simons' reasonable expectation of privacy in his computer files, but any reasonable expectation of privacy he may or may not enjoy in his office.
Select the correct response to the question.
Select the correct response to the question.
In this topic, we looked at Cyberlaw's Constitutional background in the Fourth Amendment — and some examples of case law — O'Connor v. Ortega, U.S. v. Monroe, and U.S. v. Simons. Government employees have a right to expect privacy in the workplace but office practices and procedures may limit that privacy. Now let's turn our attention to some of the statutory limits on investigations.